Michael Schroeder

Results 148 comments of Michael Schroeder

The downside is of course that the pubkey used for publishing may not need to be the pubkey for building. We have the same problem with the ssl certs, where...

Seems like systemd needs to be patched to also support detached sigs.

I don't understand this issue, as signatures done with a currently expired key are still considered ok, as long as the key was not expired when the signature was made.

The package manager should _not_ warn about an outdated key; an outdated key is perfectly acceptable as long as the signatures were done when the key was not expired. That's...

That wouldn't help against a man-in-the-middle attacked software.opensuse.org...

I think this is caused by dnf using a call to rpmkeys for signature verification (i.e. commit https://github.com/rpm-software-management/dnf/commit/4747e369c1b5b406688ff0be5447ebd0c29575a6). SUSE uses a different database locking scheme, and importing a key via...

I'll release a maintenance update for rpm that makes it go back to a read-only lock after importing a key if it started read-only. I guess that's the easiest solution.

I don't think it makes sense to change the layout in the source if the package content stays the same.